9/07/2006 @ 6:00AM

Laptop Hall Of Shame

When the history of personal privacy is written–and there are persons who monitor this sort of thing–they will call this “The Year of the Stolen Laptop.”

The number of incidents has been astounding, topped by the theft of a laptop computer last May from the residence of a U.S. Department of Veterans Affairs staff person; the computer contained millions of names, birth dates and Social Security numbers. Law enforcement officers actually recovered the stolen laptop and arrested two suspects, and they have found no evidence that the data inside was used to compromise anybody’s privacy.

But up to 26 million veterans and active-duty military personnel still experienced the stress of knowing that their information was available to persons who might have used it in adverse ways.

Each had to go through the Kafkaesque ritual of checking their credit reports, notifying banks and other businesses, sometimes consuming hours of personal time to get to the bottom of the matter. They learned that the greatest danger of being in a database that is lost or stolen is having your Social Security number vulnerable. With those nine digits, identity thieves can order products and services by misappropriating your credit report or, less likely, they can establish new identities for immigrants without documentation.

But institutions that are storing sensitive personal information on laptop computers apparently still are not motivated to take even the most basic precautions.

ING's U.S. Financial Services office in Washington, D.C., lost the Social Security numbers of 13,000 public employees. Royal Ahold subsidiary Ahold USA experienced the loss of data on employee stock options entrusted to Deloitte Accountants, one month after Ahold had information on its grocery-store retirees lost in a laptop taken from Electronic Data Systems. And at Equifax, the regulated credit-bureau company, up to 2,500 employees' Social Security numbers went missing when one of its people wandering in London had a laptop stolen.

Mercantile Potomac Bank in Bethesda, Md., lost Social Security numbers and account numbers of nearly 50,000 customers; Aetna lost 38,000 customer records; Hewlett-Packard lost records on 196,000 current and former employees. At Fidelity Investments, 196,000 client records went astray.

The list goes on: Mount St. Mary's Hospital in upstate New York lost 17,000 patient records; Vermont State College lost 20,000 faculty, staff and student files; Hotels.com, a subsidiary of Expedia, lost the records of 250,000 customers entrusted to Ernst & Young.

In July, a U.S. government-owned laptop with thousands of Florida driver's-license records was stolen from a vehicle in Florida while an official ate lunch inside a restaurant.

Data in these volumes and with this sensitivity customarily had been stored in central computers, but no longer. The records are now transferred to electronic notebooks, apparently so that employees may massage the data while traveling and display it at out-of-town meetings. That might be understandable. But can’t they take precautions before they permit this? Was the material not password-protected? Don’t these companies get computers with locks and keys? Was the data encrypted? Ernst & Young didn’t encrypt the Hotels.com customer records that it allowed an employee to carry around. The Florida database was part of an anti-fraud investigation, but it wasn’t encrypted.

The monthly newsletter I publish, Privacy Journal, reported 24 serious instances of Social Security numbers and other sensitive data compromised through stolen or lost laptops in 2006. The newsletter called it the “Lost or Stolen Laptops Hall of Shame.” And we still have four months left in 2006. There were at least ten incidents during the final four months of 2005. All these incidents involved companies that handle personal information routinely. (Apparently too routinely!)

The biggest insult was that the Federal Trade Commission, which is responsible for protecting Americans from fraud and identity theft, let two of its own attorneys leave the building in June with data about individuals–addresses, dates of birth, Social Security numbers, bank-account numbers–on their laptops. The devices were stolen. The FTC said it would provide free credit monitoring for those persons whose private data was compromised.

California and more than 20 other states, plus the City of New York, require companies to reveal these security breaches when they happen. Still, we must be hearing only about a small percentage, because in a new report by the Ponemon Institute, 80% of the 480 companies and government agencies it surveyed reported losing data through laptop theft–all in the past 12 months. The worse news is that an additional 10% of the companies queried did not even know whether they had lost data this way. Only 10% could safely say that they had not.

The companies were also asked how long it would take to determine exactly what sensitive data had been lost on a mobile device, and the most common answer was it was impossible to do so.

Now, there may be reasons to transport company data in mobile electronic media–people do work at home and on the road, after all. And most of the evidence so far shows that thieves are interested in the hardware, not the data.

But we need some legislation to require–at least for the next couple of years–that databases with individuals’ account numbers, medical data and financial information not leave a company’s premises in portable media like a laptop or personal data assistant–and certainly not without encryption or password protection.

With or without government intervention, encryption and passwords should certainly be the first line of defense for any corporation. Perhaps this will force auto and home burglars to move on to some other article of choice for stealing.

The next step: Figuring out how to make personal data self-destruct when the laptop leaves the custody of the owner.

Robert Ellis Smith is publisher of Privacy Journal and www.privacyjournal.net, the world’s first publication dealing with new technology and privacy.